
Strengthen security #7

@maathieu

Description


Hi,

Thank you for this great script 👍

A few useful remarks...

  • It is possible to edit files above DEFAULT_DIR by putting the url directly in p=
  • The config parameter "ALLOW_SHELL" is not included in the list at the beginning of the file and it is set to "true" by default; it should be set to "false"
  • editor.php should never ever be able to edit itself or its companion editor.config.php
  • there should be a config option to restrict the list of files that can be edited by editor.php, for example to an array of set files, or a wildcard. Both the file browser and the editor would then enforce those restrictions.

All the above would help strengthen the security of the script and the website it belongs to in case of a hack.

  • There is an experimental feature that does something with downloading a version of editor.php directly from github, what is it used for?

Best regards,

maathieu
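One way to address the first, third and fourth points of the report above, written as an added example for this page rather than code taken from the editor.php project: the requested `p=` value is resolved relative to `DEFAULT_DIR` with `realpath()`, the canonical result must stay inside the canonical base directory, the editor's own files are refused, and only files matching a configurable allowlist are returned. `DEFAULT_DIR`, `ALLOW_SHELL` and the `p` parameter are the names used in the issue; `ALLOWED_FILES`, `PROTECTED_FILES` and `resolve_editable_path()` are assumed names for illustration.

```php
<?php
// Added example, not the editor.php project's own code.
// DEFAULT_DIR, ALLOW_SHELL and the "p" parameter are named in the issue;
// everything else here is an assumption for illustration.

// Hypothetical configuration values (assumed, not the project's real config).
const DEFAULT_DIR     = '/var/www/html/site';            // base directory for editing
const ALLOWED_FILES   = ['*.html', '*.css', 'inc/*.php']; // editable files, relative to DEFAULT_DIR
const PROTECTED_FILES = ['editor.php', 'editor.config.php']; // never editable (point 3)
const ALLOW_SHELL     = false;                            // safe default (point 2)

/**
 * Resolve a user-supplied relative path and return its canonical absolute form,
 * or null if the request must be refused.
 */
function resolve_editable_path(string $requested): ?string
{
    // Canonicalise the base once; realpath() collapses "..", "." and symlinks.
    $base = realpath(DEFAULT_DIR);
    if ($base === false) {
        return null;
    }

    // Refuse empty values, NUL bytes, absolute paths and URL-style prefixes
    // (point 1: "p=" must never be able to name a location outside the base).
    if ($requested === ''
        || str_contains($requested, "\0")
        || preg_match('#^(?:[a-z][a-z0-9+.-]*:)?/#i', $requested)) {
        return null;
    }

    // Canonicalise the target; a non-existent file resolves to false.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }

    // Containment check on the canonical paths: the target must be the base
    // itself or begin with "<base>/", so "../" sequences and symlinks cannot escape.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    $relative = (string) substr($target, strlen($prefix));

    // The editor must never edit itself or its companion config file (point 3).
    if (in_array(basename($relative), PROTECTED_FILES, true)) {
        return null;
    }

    // Allowlist of editable files (point 4), matched with fnmatch() wildcards.
    foreach (ALLOWED_FILES as $pattern) {
        if (fnmatch($pattern, $relative)) {
            return $target;
        }
    }
    return null;
}

// Usage in the editor's request handling: refuse anything the check rejects.
$path = resolve_editable_path($_GET['p'] ?? '');
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}
// ... $path can now be opened for editing; the same function can serve the file browser.
```

Because `realpath()` returns `false` for files that do not exist yet, this check only ever resolves existing files; an editor that also creates new files would need to canonicalise the parent directory instead and apply the same containment and allowlist rules to the new name. Applying one function to both the file browser and the editor keeps the two from disagreeing, which is the point raised in the fourth remark.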
